In the ever-evolving landscape of cloud security, making informed decisions about your infrastructure is paramount. While Azure Firewall might seem like the default choice for protecting your Azure environment, recent findings and the experiences of frustrated cloud operations teams suggest it might be time to consider a more robust solution. The good news is that you may be surprised to hear it is a more cost-effective alternative too. This post dives into why Codify is advocating for a shift from Azure Firewall to Fortinet’s Fortigate firewalls in Azure.
The security effectiveness of Azure Firewall has recently come under scrutiny. The Q1 2025 Comparative Test Report on Cloud Network Firewalls (CNFW) from CyberRatings.org paints a concerning picture. Azure Firewall scored 0% in security effectiveness and was labelled Caution after testing with the CyPerf tool.
Beyond these concerning test results, our own experience and that of other cloud and cyber operations professionals managing existing Azure deployments often leads to frustration due to limitations like:
- Delayed Logging: Real-time visibility is crucial for effective security. We’ve consistently observed a 2 to 5-minute delay in Azure Firewall logs appearing in Log Analytics workspaces. This lag significantly hinders immediate threat detection and response, making troubleshooting a tedious and time-sensitive process.
- Complex Log Analysis: Analysing Azure Firewall logs requires intricate KQL (Kusto Query Language) queries. This demands specialized knowledge and experience within your cloud team, potentially creating silos and inconsistencies when your wider firewall footprint relies on different query languages and skillsets.
- Lack of meta data: All next generation firewall products provide rich means for describing objects in your network and the protocols you use. This allows you to write expressive and easy to understand firewall rules and this greatly accelerates troubleshooting. Azure Firewall is limited to IP Groups only.
It’s Not All Bad… But
We acknowledge that Azure Firewall is better than having no firewall at all. It’s a common initial deployment choice, particularly during proof-of-concept or pilot Azure migrations where the use case and scope might be limited.
However, as your Azure footprint matures and your security requirements become more critical, we strongly advocate for making the transition to a more robust solution as part of your investment in building out your landing zones.
The good news is that adopting these advanced firewall solutions can be done rapidly. You can easily leverage PAYG (Pay-As-You-Go) licensing for Fortigates on Azure directly through the Azure Marketplace, offering flexibility and scalability.
The Argument for Change: Consistency is Key
Our primary recommendation is rooted in simplicity and security. Use the same firewall in the cloud as you do on-premises. Leveraging existing familiarity, management tools, and skillsets in your organisation leads to a simpler implementation and streamlined path to operations that combined result in a more secure hybrid cloud environment. The best choice for your organisation will ultimately depend on your pre-existing infrastructure and the expertise of your security and cloud teams.
Will I Miss Out on the Tight Integration to Azure? Think Again.
Traditionally, one might hesitate to move away from a native Azure service due to concerns about losing tight integration. However, this is no longer a significant barrier. At Codify, we’ve strategically partnered with Fortinet to build comprehensive Azure solutions that are the full package so you aren’t losing any integration as part of the change. Our focus has been on delivering seamless integration with crucial Azure services, including:
- High Availability: Ensuring continuous protection for your critical workloads.
- Authentication: Integrating with Entra ID for consistent identity management.
- Automation: Leveraging Azure services and Fortinet APIs for automated deployment and management.
- Microsoft Sentinel Integration: Feeding Fortigate logs directly into Sentinel for unified security monitoring and incident response.
- Azure SDN Connection: Remove the need to manage the default route to the firewall for your Azure workloads and have them secured by default.
For a deeper dive into how we’ve achieved this integration, we invite you to explore our previous technical articles:
- FortiGate vs. Azure Firewall: How to Choose the Best Firewall for Microsoft Azure Security
- Deploying FortiGate’s on Azure with ExpressRoute & Azure Route Server
- User Group Presentation: Optimising Firewalls on Azure for Secure, Scalable Hybrid Networks
Have Your Cake and Eat It Too? Yes!
What if we told you that you could not only enhance your Azure security posture but also potentially save money by shifting from Azure Firewall to an Azure Fortigate solution?
We recently worked on an SDWAN project for a customer where we made precisely this transition. By moving away from ExpressRoute combined with Azure Firewall to a comprehensive Fortigate solution in Azure, we were able to achieve a remarkable 19% saving on the total solution cost (including Azure resources and Fortigate licensing) over a 5-year period. This real-world example demonstrates that a move to Fortigate can be both a security upgrade and a financially prudent decision.
We understand that migrating firewalls can seem complex. That’s why we’ve developed an automated solution to streamline the process, ensuring a rapid and efficient transition. Our expertise extends to migrating your existing firewall rules and re-establishing your Azure connectivity configurations within the Fortigate environment, minimising disruption and maximising security from day one.
Ready to take your Azure security to the next level and potentially reduce costs? Contact the experts at Codify today to learn more about our managed Fortigate Firewall as a Service and our automated migration capabilities.